The present invention relates to technology for preventing injection attacks of scripting languages, and more particularly, to a mechanism for preventing SQL injection attacks, including a mechanism for transforming user-input data in a scripting language, and a mechanism for analyzing a script instruction comprising encoded user-input related variables.
A structured query language (SQL) is a standard data query language for use in a database. SQL injection attacks happen as a result of security vulnerability at a database level of an application and thus often pose a threat to a web application. SQL injection attacks are usually targeted at a database through a Website.
FIG. 1a is a schematic view of the framework of a conventional system for accessing an SQL database by means of a webpage. A web client 110 comprises a browser, accepts user-input data, and sends the user-input data to a web server 120. Conventional malicious users enter a fragment of an SQL instruction into the web client 110 in an attempt to cause a new SQL instruction not anticipated by the program developer, that is, a rogue SQL query (or SQL instruction), to be constructed when a web application in the web server 120 is interpreted (for example, one that downloads the contents of the database to the malicious users); the web server 120 then sends that SQL query to an SQL server 130. The conventional malicious users enter a string carrying an SQL instruction, but the targeted application fails to check the string; as a result, the SQL instruction carried by the string is mistaken by the database server for a normal SQL instruction and executed, thereby damaging the database server 140. Scripting languages (also known as script languages, or scripting programming languages) similar to SQL, such as Python, Perl, Command line interface, Shell scripts, tool command language (TCL), Bash, and PHP (Personal Home Page or PHP: Hypertext Protocol), are subject to injection attacks in most cases.
An example of the cause of injection attacks is illustrated in FIG. 1b, which shows a username and a password being entered for an SQL database 140. A user enters the string "Rick Wu'--". In this string, (') and (--) are reserved characters in SQL syntax and mean "the preceding string ends" and "the following characters are a comment", respectively. A web application 160 is interpreted by a script interpreter (such as JavaEE Runtime) of the web server 120, thereby producing an SQL instruction 170 as follows:
SELECT * FROM Employee WHERE name='Rick Wu'--' AND passwd=''
When the SQL server 130 executes the aforesaid SQL instruction, the reserved characters (--) cause everything after them (' AND passwd='') to be regarded as a comment. As a result, any password entered is ignored, and in consequence malicious users can log in to the SQL database 140 directly. Hence, it is imperative to cope with SQL injection attacks.
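The following added example (not code from the patent or its applicant) reproduces the FIG. 1b scenario in Python against an in-memory SQLite table, so the comment-bypass can be observed next to the fix the patent's background alludes to. The Employee table and the name/passwd columns follow the page; the row contents, the function names, and the use of SQLite in place of the SQL server 130 are assumptions made for this example. The vulnerable function pastes user input into the SQL text exactly as the web application 160 does; the parameterized function hands the same input to the driver as bound values, so the quote and comment characters are treated as data rather than syntax.

```python
import sqlite3

# Constructed sample data: an in-memory table standing in for the SQL database 140.
# Table and column names follow the page; the stored row is made up for this example.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Employee (name TEXT, passwd TEXT)")
    conn.execute("INSERT INTO Employee VALUES ('Rick Wu', 's3cret')")
    conn.commit()
    return conn


def build_vulnerable_query(name, passwd):
    # Mirrors the web application 160: user input is concatenated straight into SQL text,
    # so a quote in the input ends the string literal and '--' comments out the rest.
    return f"SELECT * FROM Employee WHERE name='{name}' AND passwd='{passwd}'"


def login_vulnerable(conn, name, passwd):
    # Returns True if the concatenated query matches a row, i.e. the login "succeeds".
    row = conn.execute(build_vulnerable_query(name, passwd)).fetchone()
    return row is not None


def login_parameterized(conn, name, passwd):
    # The statement text is fixed; name and passwd travel as bound parameters,
    # so "Rick Wu'--" is compared literally against the name column and never
    # alters the WHERE clause.
    row = conn.execute(
        "SELECT * FROM Employee WHERE name=? AND passwd=?", (name, passwd)
    ).fetchone()
    return row is not None


if __name__ == "__main__":
    conn = make_db()
    payload = "Rick Wu'--"          # the input from FIG. 1b, with an empty password
    print(build_vulnerable_query(payload, ""))
    print("vulnerable login:    ", login_vulnerable(conn, payload, ""))    # True
    print("parameterized login: ", login_parameterized(conn, payload, ""))  # False
    print("real credentials:    ", login_parameterized(conn, "Rick Wu", "s3cret"))  # True
```

Running the script prints the same instruction 170 shown above, then shows the concatenated query accepting the payload with no password while the parameterized query rejects it and still accepts the genuine credentials. The detection-side takeaway is that the rogue query is only visible as text when it is built by concatenation; with bound parameters there is no rogue query to detect.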
For details of SQL injection attacks, visit the Open Web Application Security Project (OWASP) webpage or Wikipedia webpage.
To cope with the aforesaid SQL injection attacks, methods of detecting and preventing SQL injection attacks are disclosed, for example, in U.S. Pat. No. 7,860,842, US20080034424A1, and Tajpour, A., JorJor Zade Shooshtari, M., "Evaluation of SQL Injection Detection and Prevention Techniques", Computational Intelligence, Communication Systems and Networks (CICSyN), 2010 Second International Conference on, 28-30 Jul. 2010, Liverpool, pages 216-221, Print ISBN: 978-1-4244-7837-8.